Windows 10 Creators Update changed the way DNS works. It used to resolve DNS 
addresses using all available adapters and IP addresses in parallel; now it 
still resolves addresses using all available adapters, but in sequence, 
beginning with a random adapter.
This interferes with how --block-outside-dns currently works. Sometimes the 
OS chooses the VPN TAP adapter and things work as intended; sometimes it 
chooses the other adapter and the user has to wait until the DNS request 
times out before DNS resolution goes via the VPN.
This behaviour introduces significant lag for web browsing.

Another thing is that Windows always prefers IPv6, just as any other OS does. 
Some home routers hand out an IPv6 Unique Local Address together with a DNS 
server to computers using DHCPv6, even if there is no IPv6 connectivity from 
the provider.

More importantly, the DisableSmartNameResolution switch, which didn't work in 
previous Windows 10 versions, now works correctly (see below).

*Workaround #1*, if the VPN infrastructure is IPv6-enabled and pushes an IPv6 
address, DNS server and route to the client:

 1. Apply the DisableSmartNameResolution registry patch.



*Workaround #2*, if the VPN infrastructure is not IPv6-enabled:

 1. Apply the DisableSmartNameResolution registry patch.
 2. If there's an IPv6 DNS server from the router, set a static IPv6 DNS 
server of ::2 (the IPv6 counterpart of 127.0.0.2 in IPv4), or just disable 
IPv6 completely on the internet interface.



*Workaround #3*, if neither the VPN infrastructure nor the client's 
infrastructure is IPv6-enabled:

 1. Apply the DisableSmartNameResolution registry patch.
 2. Push an IPv6 Unique Local Address and DNS server to the client, but do 
not push any routes. The client would use DNS over IPv6 but would not route 
anything else.

    *Note*: it would route IPv6 traffic over the internet interface (not via 
the VPN) if the client's ISP is IPv6-enabled.
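The registry step shared by all three workarounds, plus the IPv6 DNS step of 
workaround #2, as an added PowerShell example (not part of the original post 
and not OpenVPN's own code). The policy key and DWORD are the ones from the 
DisableSmartNameResolution.reg file in this message; the interface alias 
'Ethernet', the -DisableIPv6 switch, and the assumption that 
Set-DnsClientServerAddress with only an IPv6 address leaves the IPv4 server 
list untouched are illustration-only assumptions. Run from an elevated prompt:

```powershell
# Added example, not from the original post or from OpenVPN.
# Step 1 of every workaround: apply the DisableSmartNameResolution policy.
# Step 2 of workaround #2: point the internet interface's IPv6 DNS at ::2,
# or unbind IPv6 from that interface altogether.
[CmdletBinding()]
param(
    [string]$InternetInterface = 'Ethernet',   # assumed alias of the non-VPN adapter
    [switch]$DisableIPv6                       # assumed switch: unbind IPv6 instead of ::2
)

# Same key and value as DisableSmartNameResolution.reg
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
Set-ItemProperty -Path $PolicyKey -Name 'DisableSmartNameResolution' -Value 1 -Type DWord

# Read the value back so a failed write is not silently ignored
$current = (Get-ItemProperty -Path $PolicyKey -Name 'DisableSmartNameResolution').DisableSmartNameResolution
if ($current -ne 1) {
    throw "DisableSmartNameResolution is '$current', expected 1"
}
Write-Host "DisableSmartNameResolution = $current"

# Show which IPv6 DNS servers the internet interface currently has
# (these typically arrive via DHCPv6 from a home router).
$v6 = Get-DnsClientServerAddress -InterfaceAlias $InternetInterface -AddressFamily IPv6
Write-Host "IPv6 DNS on '$InternetInterface': $($v6.ServerAddresses -join ', ')"

if ($v6.ServerAddresses.Count -gt 0) {
    if ($DisableIPv6) {
        # Variant b of workaround #2: disable IPv6 on the internet interface
        Disable-NetAdapterBinding -Name $InternetInterface -ComponentID 'ms_tcpip6'
        Write-Host "IPv6 unbound from '$InternetInterface'"
    }
    else {
        # Variant a of workaround #2: static IPv6 DNS of ::2, the IPv6
        # counterpart of the 127.0.0.2 trick used for IPv4.
        # Assumption: passing only an IPv6 address changes only the IPv6 list.
        Set-DnsClientServerAddress -InterfaceAlias $InternetInterface -ServerAddresses '::2'
        Write-Host "IPv6 DNS on '$InternetInterface' set to ::2"
    }
}
```

Running it with no parameters applies the registry policy and, if the 
'Ethernet' interface has any IPv6 DNS server, replaces it with ::2; 
-DisableIPv6 chooses the other variant. Use Get-NetAdapter to find the real 
alias of the internet-facing interface before running it.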



*Question*: Fixing the registry with --block-outside-dns is simple, but what 
should we do about IPv6 in OpenVPN? Should we introduce an option to disable 
IPv6 DNS on other interfaces if no IPv6 DNS server is pushed from the VPN?


=== DisableSmartNameResolution.reg ===

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"DisableSmartNameResolution"=dword:00000001


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel